COS 597C: Recent Developments in Program Obfuscation Lecture 7 10/06/16 Lecturer: Mark Zhandry Princeton University Scribe: Jordan Tran Notes for Lecture 7 1 Introduction In this lecture, we show how to build fully homomorphic encryption FHE from indistinguishability obfuscation io. In previous applications, we use io in conjunction with one-way functions OWF. However, it seems that OWF alone is not sufficient in this case. We know that FHE implies collision resistance hash function CRHF [IKO 05]. Therefore, if we can obtain FHE from io and OWF, we will also get CRHF. However, there is an argument not a concrete proof that io and OWF alone is unlikely to imply CRHF [AS 15]. As such, we believe that in order to build FHE from io, we are going to need more than just OWF. 2 Construction of FHE from io 2.1 First Attempt Suppose we have a public key encryption PKE scheme consists of three algorithms: Gen PKE, Enc PKE, and Dec PKE. We are going to start of with a FHE scheme that looks very similar to what we have seen with other applications of io: Genλ: dk, ek Gen PKE λ, K Gen PRF λ. Sets ek as the encryption key and dk, K as the decryption key. Outputs ek, dk, K. Encek, m: Enc PKE ek, m Decdk, ct: Dec PKE dk, ct Evalop, ct 0, ct 1 : Outputs ObfP dk,k,ek op, ct 0, ct 1 where op is an operation +, and ObfP dk,k,ek is an obfuscation of the following program: P dk,k,ek op, ct 0, ct 1 : m b = Decdk, ct b b {0, 1} r = PRFK, op, ct 0, ct 1 Outputs Encek, m; r 1
Note that obfuscation only works with deterministic programs. Since the encryption algorithm is necessarily randomized, we need to explicitly calculate the random coin r and give it to Enc in P dk,k,ek. However, we do not know how to prove security with the above construction. Therefore, we will have to relax the definition of FHE. 2.2 Leveled FHE In a regular FHE scheme, the homomorphic operation should produce a ciphertext under the same encryption key as the two input ciphertexts. However, in a leveled FHE scheme, we will allow the homomorphic operation to produce a ciphertext under a different encryption key. So instead of just one pair of ek, dk, we now have ek 1, dk 1, ek 2, dk 2,..., ek n, dk n. If we add or multiply two ciphertexts under ek 1, we will get a ciphertext under the next level ek 2. As long as the users have all the decryption keys, they would be be able to decrypt any messages. If we want to perform operation on two ciphertexts at different levels, we can simply add an encryption of 0 under the appropriate ek to the ciphertext of lower level to push it up the levels. Our homomorphic evaluation now consists of the obfuscations of multiple programs one for each level of encryption. P i dk i,k i,ek i+1 op, ct 0, ct 1 : m b = Decdk i, ct b b {0, 1} r = PRFK i, op, ct 0, ct 1 Outputs Encek i+1, m; r However, this leveled FHE scheme still implies CRHF, and therefore is affected by the implausibility result which suggests that we cannot build it from just io and OWF [AS 15]. As such, we will need to modify this program. The last program in the sequence is P n 1. Our goal is to change this program so that instead of outputting the resulting ciphertext, it would always output an encryption of 0: 2
Q n 1 K n 1,ek n op, ct 0, ct 1 : r = PRFK n 1, op, ct 0, ct 1 Outputs Encek n, 0; r Since Q n 1 K n 1,ek n ignores the input messages completely, it does not need dk n 1. If we are able to change the last level of P into Q, then we will be able to work up the chain of programs and get rid of all dk i. 2.3 Indistinguishability of P and Q In order to argue indistinguishability between P and Q, we are going to impose some arbitrary ordering on the input of the programs: op, ct 0, ct 1. If we think of the input as a sequence of bits, then this can just be the normal ordering of the bits. We now define a new program R which will also include R n 1,t op, ct 0, ct 1 : r = PRFK n 1, op, ct 0, ct 1 If op, ct 0, ct 1 < t Outputs Encek n, 0; r Else m b = Decdk n 1, ct b Outputs Encek n, m; r R n 1,t outputs encryption of 0 for all inputs below the threshold t, and computes the resulting ciphertext correctly for the rest of the inputs. Notice that for t = 0 minimum value in the ordering, then R n 1,t is equivalent to P n 1. If the threshold is set at MAX, where MAX larger than any possible input values, then R n 1,t is functionally identical to Q n 1. We want to show that: Obf R n 1,t c Obf R n 1,t+1 Essentially, we will show that we can move the threshold t up or down 1 at a time and still preserve security. This will definitely change the functionality of R. However, we are going to argue that R n 1,t and R n 1,t+1 are still indistinguishable. Notice that R n 1,t and R n 1,t+1 differs on only one input t. On all other inputs, the two programs are identical. We can then prove indistinguishability using a series of hybrids: H 0 : The first hybrid corresponds to R n 1,t 3
H 1 : Let the threshold t = op, ct 0, ct 1 and K n 1 {t} be the punctured PRF key at t. r PRFK n 1, op, ct 0, ct 1 m = Decdk n 1, ct 0 op Decdk n 1, ct 1 ct Encek n, m ; r We now replace R n 1,t with a new program R n 1,t : R n 1,t dk n 1,K n 1 {t},ek n,ct op, ct 0, ct 1 : If op, ct 0, ct 1 = t Outputs ct Else r = PRFK n 1 {t}, op, ct 0, ct 1 If op, ct 0, ct 1 < t Outputs Encek n, 0; r Else m b = Decdk n 1, ct b Outputs Encek n, m; r We can see that R n 1,t is functionally identical to R n 1,t in H 0. Therefore, by io security, we can conclude that H 0 c H 1. H 2 : In this hybrid, we replace r with uniformly random value. We can argue that H 2 is indistinguishable from H 1 using puncturable PRF security. H 3 : We now set ct = Encek n, 0; r. Indistinguishability of H 3 and H 2 follows from security of the PKE scheme. r is not used anywhere except in the encryption of ct. So in H 2, we have a fresh encryption of m, and in H 3, we have a fresh encryption of 0. By PKE security, an adversary without the decryption key cannot tell the difference between these two ciphertexts. H 4 : We set r back to be PRFK n 1, op, ct 0, ct 1 and use punturable PRF security to argue that H 3 c H 4. H 5 : We replace R n 1,t with R n 1,t+1. Since the two are now functionally identical we replace the hardcoded value at t with encryption of 0 in H 3, we can conclude that H 4 c H 5 by io security. We have now shown that: Obf R n 1,t c Obf R n 1,t+1 4
So if we continue the chain from t = 0 to t = MAX, we will have: P n 1 = R n 1,0 c R n 1,1 c... c R n 1,MAX 1 c R n 1,MAX = Q n 1 So it seems that we have successfully shown that P n 1 is indistinguishable from Q n 1. However, there is a problem in this proof. Let l be the length of the ciphertexts produced and T be the size of the set of all t values. We have T = 2 l, so the advantage is 2 l neglλ. However, since negl only means that the function is smaller than any inverse polynomial, 2 l neglλ is not necessarily negligible. In addition, it is not hard to show that in any secure PKE scheme, the ciphertext size must be at least λ. Therefore, the advantage is 2 λ neglλ. Unfortunately, we do not know how to solve this problem. The only thing we can do is to assume that the indistinguishability between each R is very strong. 2.4 Subexponential io We give a new definition of io called subexponential io: Definition 1 Subexponential io. For all functionally equivalent circuits C 0, C 1 and for all PPT adversaries A, there exist a constant c 0, 1] such that P r[aobfc 0, λ] = 1] P r[aobfc 1, λ] = 1] < 1 2 λc This is a stronger definition of io. We do not know that this is possible. However, it turns out that for io and other cryptographic primitives, the best known attacks have had this kind of probability. So it is plausible to assume that there is no kind of attack with higher success probability. If we use subexponentially strong io and PRF, no attacker will be able to distinguish between H 0 and H 5 with probability better than 2 l 5 2 for level n, where λnc λ n is the security parameter for the level. To make the value 2 l 5 2 small, we λnc are going to set λ n >> l 1 c λ n 1 1 c λ n 1 is the security parameter of the previous level. We are raising the security parameter for the next level to be bigger than the previous level. However, this means that λ n is exponentially big in n, which means that our obfuscated programs and ciphertexts have to also be exponentially big. We can fix this problem by introducing another primitive. 2.5 Lossy Encryption Until now, we have not use anything more than io and OWF. As mentioned before, FHE is unlikely to follows from just io and OWF. Therefore, we are going to need a new primitive called lossy encryption. 5
Definition 2 Lossy Encryption. A lossy encryption scheme consists of four algorithms: Genλ dk, ek Encek, m ct Decdk, ct m Gen Lossy λ ek There is a strong requirement that the distribution of the encryption of 0 and 1 under ek Gen Lossy λ must be identical. For all ek Gen Lossy λ and ciphertext ct: P r[encek, 0 = ct] = P r[encek, 1 = ct] Clearly this cannot be the case for ek generated with dk from Genλ, since we will not be able to decrypt otherwise. Basically, ek Gen Lossy is a lossy key since it loses all information about the message. For security we requires that: ek Gen Lossy λ c ek : ek, dk Genλ We can build lossy encryption from Decisional Diffie-Hellman DDH, factoring, and learning with errors LWE assumptions though the distribution of ciphertext for 0 and 1 under lossy key are only statistically indistinguishable, not identical, in the case of LWE. We now go back to the proof and, before we switch from P to R, replace the encryption key with a lossy key. So P n 1 will be replaced with: P n 1,Lossy : dk n 1,K n 1,ek Lossy n m b = Decdk n 1, ct b r = PRFK n 1, op, ct 0, ct 1 Outputs Encek Lossy n, m; r We can make this change because P n 1 does not include the corresponding decryption key for ek n. Now we can repeat the sequence of hybrids, except that we do not need to invoke PKE security between H 2 and H 3 since the encryption key has been replaced with a lossy key, which has identical distribution for encryption of 0 and 1. We no longer invokes security of the encryption scheme for every step of the hybrid, only from P n 1 to P n 1,Lossy. At a high level, we have separated the dependency between the security parameter and the input size. Let λ 0 be the security parameter of the encryption scheme. We will now set security of io and puncturable PRF to be λ 1 >> l 1 c λ 0 1 c. 6
2.6 The Rest of the Proof We have now proved security of P n 1. From here, we can prove the security of P n 2, because once we have switched to Q n 1, we no longer have dk n 1. We can then repeat the process to replace the program at each level with Q. Once we get to level 0, we can simply prove security using PKE security. 3 From Level FHE to Full FHE Note that we have already known how to build leveled FHE under the LWE assumption before. However, we do not know how to turn this into the full FHE scheme we wanted. In both leveled FHE constructions from LWE and io, the number of levels are bounded. However, it turns out that we can turn the level FHE construction from io into a full FHE scheme with subexponential hardness assumption. Briefly, the instead obfuscate a program P which takes in a level n and outputs the obfuscated program P n for that level. P n : Outputs ObfP n Here dk n 1, K n 1, and ek n are generated by a PRF. At the end, we have a program of fix size that we can use to generate ObfP n for a new level by feeding it n. References [AS 15] Asharov, G. and Segev, G. Limits on the power of indistinguishability obfuscation and functional encryption. Proceedings of the 56th Annual IEEE Symposium on Foundations of Computer Science, 191-209, 2015. 1, 2 [IKO 05] Ishai, Y., Kushilevitz, E., and Ostrovsky, R. Sufficient conditions for collision-resistant hashing. Theory of Cryptography Conference, 445-456, 2005. 1 7